cryptography lecture 3 arpita patra. quick recall and today’s roadmap >> construction based...
TRANSCRIPT
Cryptography
Lecture 3
Arpita Patra
Quick Recall and Today’s Roadmap
>> Construction based on PRG
>> Overview of Proof by reduction
>> Proof of PRG-based SKE
>> Extension of CO-security to CO-MULT-security and the second is stronger than previous
>> Chosen Plaintext Attack (CPA), CPA Security, stronger than previous notions; minimum requirement for any SKE
>> Is it practical?
>> A construction for CPA-secure scheme
>> Proof of Security
>> Extension to CPA-MULT-security
>> Modes of Operations (very efficient construction used in practice)
Chosen-Plaintext Attacks (CPA)(Single-message Security)
k k??
Encm c = Enck(m)
(m1, c1), (m2, c2), …, (mt, ct): ci = Enck(mi)
>> Adversary influences the honest parties to get encryption of plain-texts (using the same key) of its choice
m1
c1
m2
c2
mt
ct
>> Adv’s Goal: to determine the plain-text encrypted in a new cipher-text
Encryption Oracle
CPA
M. Luby: Pseudorandomness and Cryptographic Applications; Princeton University Press, 1996
Mihir Bellare, Anand Desai, E. Jokipii, Phillip Rogaway:A Concrete Security Treatment of Symmetric Encryption. FOCS: 394-403, 1997
Is CPA Realistic ?
How can an attacker influence parties to encrypt messages of its choice (using the same key) ?
Consider a secure hardware with secret-key embedded>> Often used in military applications
An insider may have access to the hardware (not the key)>> Can choose messages of its choice and get their encryptions
CPA shortened WWII by 2-3 Years Breaking of German codes by British during WW II
Loc1 Loc2
Loc3
Enck(Loc
1)
Enck(Loc
2)Enc
k(Loc3
)
Trivia: Who played a key role in this cryptanalysis process
At Bletchley ParkAxis Power
Allied Power
CPA Indistinguishability Experiment
= (Gen, Enc, Dec), , n
Gen(1n)
k
PrivK (n)A,
cpa
Query: Plain-text
Response: Ciphertext
Training Phase:
>> A is given oracle access to Enck()
>> A adaptively submits its query (free to submit m0, m1) and receives their encryption
I can break Let me verify
PPT Attacker A
CPA Indistinguishability Experiment
= (Gen, Enc, Dec), , n
Gen(1n)
k
PrivK (n)A,
cpa
Challenge Phase:
Training Phase
>> A submits two equal length challenge plaintexts
>> A is free to submit any message of its choice (including the ones already queried during the training phase)
>> One of the challenge plaintexts is randomly encrypted for A (using fresh randomness)
m0, m1 , |m0| = |m1|
b {0, 1}
c Enck(mb)
I can break Let me verify
PPT Attacker A
CPA Indistinguishability Experiment
= (Gen, Enc, Dec), , n
I can break Let me verify Gen(1n)
k
PrivK (n)A,
cpa
PPT Attacker A
Post-challenge Training Phase:
Training Phase
m0, m1 , |m0| = |m1|
b {0, 1}
c Enck(mb)
>> A is given oracle access to Enck()
>> A adaptively submits its query (possibly including m0, m1) and receives their encryption
Query: Plain-text
Response: Ciphertext
CPA Indistinguishability Experiment
= (Gen, Enc, Dec), , n
I can break Let me verify Gen(1n)
k
PrivK (n)A,
cpa
PPT Attacker A
Response Phase:
Training Phase
m0, m1 , |m0| = |m1|
b {0, 1}
c Enck(mb)
Post-challenge Training
A finally submits its guess regarding encrypted challenge plain-text
A wins the experiment if its guess is correct
b’ {0, 1}
Game Outputb = b’
1 --- attacker won
b b’0 --- attacker lost
CPA Security
= (Gen, Enc, Dec), , n
I can break Let me verify Gen(1n)
k
PrivK (n)A,
cpa
PPT Attacker A
Training Phase
m0, m1 , |m0| = |m1|
b {0, 1}
c Enck(mb)
Post-challenge Training
b’ {0, 1}
Game Outputb = b’
1 --- attacker won
b b’0 --- attacker lost
½ + negl(n)
Pr PrivK (n)A,
cpa= 1
is CPA-secure if for every PPT A, there is a negligible function negl, such that:
Search for Ingredients of CPA-Secure Scheme
x1 = 00000…0
y1 R {0,1}n
x2 = 00000…1
…
x2n =
11111… 1
y2n R
{0,1}n
y2 R {0,1}n
…
x1 = 00000…0
y1 R {0,1}n
x2 = 00000…1
…
x2n =
11111… 1
y2n R
{0,1}n
y2 R {0,1}n
…
f: {0,1}n {0, 1}nf: {0,1}n {0, 1}n
Encm
yi
c = (xi, m yi)
??
Pad yi is truly random
>> Instances of OTP >> Problem with the above
solution--- size of f is n2n bits
Encryption procedure cannot be deterministic. Can u find an attack?
>> Need “fresh” randomness for each run of Enc. Results different ciphertexts for the same message
>> At the same time want to use a “single key”.
Encryption procedure MUST be randomized
Ingredient for CPA-secure SKEs
Need a smarter tool. A short key.
Pseudorandom Function (PRF)
O. Goldreich, S. Goldwasser and S. Micali. How to Construct Random Functions. JACM, 33(4), 792-807, 1986
Pseudorandom Functions (PRF) What is a truly random function (TRF) ?
>> Whose output behavior is completely unpredictable
>> Given an input, it randomly assigns one element from the co-domain as the output
>> Every element from the co-domain is a possible image with equal probability
What is a PRF ?
>> Intuitively a function whose output behavior “looks like” a TRF>> As long as the “entity” who observes is computationally bounded
>> Randomness/Pseudorandomness tag of a function is meaningful when it is drawn from a distributions of functions.
Given a function f: is it TRF or PRF ?
TRF vs PRF
For simplicity, consider functions from {0,1}n to {0,1}n
Funcn = {f1, f2, …, f } --- family of all such functions2n. 2n
A function chosen uniformly at random from the above is a TRF
PRFs are keyed functions; given key and input, there is an efficient way of computing a PRF
Funcn = {Fk1, …, Fk } –-- family of keyed functions with key
length n2n
|Funcn| >>>>>>>>>>>
|Funcn|
A function chosen uniformly at random from the above is a PRF
A possible Definition of PRF in PRG style
Give F (table) either uniformly sampled from Funcn or from to PPT distinguisher D and ask if it is a TRF or PRF.
>> If D cannot tell apart the “behavior” of the function Fk (for a
uniformly random k) from a truly random function f: {0,1}n
{0,1}n, then we say f is a PRF.
>> Does it work?
>> No, since the description of the function is of exponential size >> Instead we give D oracle access to either a TRF or a PRF and ask “tell us who are you interacting with?”
Funcn
Indistinguishability Game for PRF
PPT distinguisher D
Value of the function
at x1
x 1
b= 0
y 1 =
f(x 1
)
OracleFuncn = {f1, f2, …, f } 2n. 2n
Value of the
function at x1
is y1
f R Funcn
F: {0, 1}n x {0, 1}n {0, 1}n
Funcn= {Fk1
, …, Fk }2n b
Indistinguishability Game for PRF
PPT distinguisher D
Value of the function
at xt
x t
b= 0
y t = f(
x t)
OracleFuncn = {f1, f2, …, f } 2n. 2n
Value of the
function at xt
is yt
f R Funcn
F: {0, 1}n x {0, 1}n {0, 1}n
Funcn= {Fk1
, …, Fk }2n b
• D can adaptively asks its queries
• D allowed to ask polynomial number of queries
Indistinguishability Game for PRF
PPT distinguisher D
Value of the function
at x1
Funcn = {f1, f2, …, f } 2n. 2n
Value of the
function at x1
is y1
F: {0, 1}n x {0, 1}n {0, 1}n
Funcn= {Fk1
, …, Fk }2n b
b= 1
k R {0,1}n
y1= F
k (x1 )
Fk
x1
Indistinguishability Game for PRF
PPT distinguisher D
Value of the function
at xt
Funcn = {f1, f2, …, f } 2n. 2n
Value of the
function at xt
is yt
F: {0, 1}n x {0, 1}n {0, 1}n
Funcn= {Fk1
, …, Fk }2n b
b= 1
k R {0,1}n
yt= F
k (xt )
Fk
xt
• D can adaptively asks its queries
• D allowed to ask polynomial number of queries
Modeling PRF as an Indistinguishability Game
PPT distinguisher D
Funcn = {f1, f2, …, f } 2n. 2n
F: {0, 1}n x {0, 1}n {0, 1}n
F is a PRF if for every PPT D there is an negl(n)
(x1, y1), (x2, y2),…, (xk, yk)
?
?
negl(n)Pr [D (1n) = 1]Fk( )
>> uniformly random k
>> D‘s randomness
Pr [D (1n) = 1]f( )
>> uniform choice of f
>> D’s randomness
-| |
>> D not given k in the above game--- otherwise D can distinguish with high probability
Funcn= {Fk1
, …, Fk }2n
Existence of PRF• Do PRF exists ?
• OWF PRG PRF (Tree Construction) (otheway is also possible; take as an HW)
• Several practical PRFs
>> No good distinguishers found till now; believed to be PRF
>> High practical efficiency compared to provably-secure PRFs
>> NT based; Not used in practice
>> Block Ciphers, AES, DES
>> AES/DES are PRFs: this is an assumption
PRF-based CPA-Secure Scheme
Potential solution
Let us agree on a truly random function
x1 = 00000…0
y1 R {0,1}n
x2 = 00000…1
…
x2n =
11111… 1
y2n R
{0,1}n
y2 R {0,1}n
…
(secret meeting / mechanism)
Look-up table of a TRF f from {0,1}n to
{0, 1}n
Fixed-length CPA-Secure Encryption from PRF• Let F be a length-preserving PRF (just for simplicity)
F: {0, 1}n x {0, 1}n {0, 1}n
• Construct a CPA-secure encryption cipher for messages of length n
m,k
c
Secret PRF-key k
(key-agreement)
c,k
Fixed-length encryption
Enck(m)
>> r in {0, 1}n
>> c = (r, m Fk(r))
Deck(c = (c0,c1))
>> m = c1 Fk(c0)
Security Proof
Theorem. If Fk is a PRF, then is a CPA-secure scheme.
Proof: On the board.
m,k
c
Secret PRF-key k
(key-agreement)
c,kEnck(m)
>> r in {0, 1}n
>> c = (r, m Fk(r))
Deck(c = (c0,c1))
>> m = c1 Fk(c0)
Recall Security Proof of PRG-based Scheme
Theorem. If G is a PRG, then is a CO-secure scheme.Proof: Assume is not secure
m,k
c
Secret PRG-key k
c,kEnck(m)
>> c = m G(k)
Deck(c)
>> m = c G(k)
A, p(n): ½ + 1/p(n)Pr PrivK (n)A,
co= 1 >
ADy{0,1}l(n
)
Let us run PrivK (n)A,
co
m0, m1R , |m0| = |m1|
b
c = mb y
b’ {0, 1}
PRS or RS?
½ Pr PrivK (n)A,
co= 1 =
1 if b = b’
0 otherwise
Pr [D(y) = 1]
Pr [D(G(s)) = 1]
= =
Pseudo Random Permutation (PRP)
PPT distinguisher D
F: {0, 1}n x {0, 1}n {0, 1}n
(x1, y1), (x2, y2),…, (xk, yk)
?
?
Distinct pairs
Permn = {f1, f2, …, f }
(2n)!
Permn= {Fk1
, …, Fk }2n
F is a PRF if for every PPT D there is an negl(n)
negl(n)Pr [D (1n) = 1]Fk( )
>> uniformly random k
>> D‘s randomness
Pr [D (1n) = 1]f( )
>> uniform choice of f
>> D’s randomness
-| |
PPT distinguisher D
Permn = {f1, f2, …, f }
(2n)!F: {0, 1}n x {0, 1}n {0, 1}n
(x1, y1), (x2, y2),…, (xk, yk)
?
?
negl(n)Pr [D (1n) = 1]
Fk( ) -| |
(y1, x1), (y2, x2),…, (yk, xk)
, Fk-1( )
Pr [D (1n) = 1]
f( ) , f-1( )
Strong PRP
>> Any strong PRP is by default a PRP>> What about the converse ?
Permn= {Fk1
, …, Fk }2n
F is a PRF if for every PPT D there is an negl(n)
>> uniformly random k
>> D‘s randomness
>> uniform choice of f
>> D’s randomness
Practical instantiation of CPA-secure SKE from only PRP/Strong PRP
PRF/PRP/SPRP
>> Operates on block of message at a time --- hence the name
>> Ex: AES, DES; No distinguisher found so far
Theoretical instantiation of CPA-secure SKE from any PRF/PRP/SPRP.
>> Blocks ciphers
CPA Security for Multiple Encryptions
= (Gen, Enc, Dec), , n
I can break Let me verify Gen(1n)
k
PrivK (n)A,
cpa-mult
PPT Attacker A
Training Phase
b {0, 1}
Post-challenge Training
b’ {0, 1}
Game Outputb = b’
1 --- attacker won
b b’0 --- attacker lost
(freedom to choose any pair)
M0 = (m0,1, …, m0,
t)
M1 = (m1,1, …, m1,
t)
c1 Enck(mb,1) ct Enck(mb, t),…,
½ + negl(n)
Pr PrivK (n)A,
cpa-mult
= 1
is CPA-secure for multiple encryptions if for every PPT A, there is a negligible function negl, such that:
CPA Multiple-message vs Single-message Security
Experiment is a special case ofPrivK (n)A,
cpaPrivK (n)
A,
cpa-mult
Set |M0| = |M1| = 1
Any cipher that is CPA-secure for multiple encryptions is also CPA-secure (for single encryption)
What about the converse ?
>> Converse was not true in the case of co-security>> Ciphers with indistinguishable encryption for single message but no indistinguishable multiple encryptions
Theorem: Any cipher that is CPA-secure is also CPA-secure for multiple encryptions
Sufficient to prove CPA-security for single encryption; rest is “for free”
CPA-security Guarantee in Practice
Ensures security against CPA even if multiple messages are encrypted using a single key and communicated
>> Even if the adversary knows that the encrypted messages belong to one of the two possible “classes”
>> Even if the adversary has seen encryptions of the messages in those classes in the past
Very good security guarantees
>> The least we should expect from a cipher
CPA-security for Arbitrary-length Messages (Theoretical Construction)
Let = (Gen, Enc, Dec) be a fixed-length CPA-secure based on PRP/SPRP/PRF. Supports message of length
m1 m2 m3
n n n
Gen
c1 c3 c6k
m
c1c2…c6 Enck(m)
Enck(m)
r in {0, 1}n
c = (r, m Fk(r))
Enck(m)
r in {0, 1}n
c = (r, m Fk(r))
Enck(m)
r in {0, 1}n
c = (r, m Fk(r))
How Good it is?
Randomness Usage
Ciphertext Expansion
Ciphertext Computation Parallelizable
Randomness Reusability
Minimal Assumption (PRF/PRP/SPRP)
CPA Security
Theoretical Construction
n / Block = kn
2n / Block = 2kn
Yes
No
PRF
Yes
Finally
n / Overall = n
k n + n
Yes
Yes
PRF
Yes
Assume Message Blocks: k; |m| = k n
Block-cipher Modes of Operations Given
A length-preserving block cipher F (may be a PRF/PRP/SPRP) with block length n
Keyed Algorithm F
k R {0, 1}n
x {0, 1}nFk(x) = F(k, x) {0, 1}n
Goal
To encrypt a message m = m1m2 … mk using F with ciphertext length as small as possible and with randomness as less as possible.
Without loss of generality --- each mi {0,1}n
m1m2 m3 m4 … mkm
{0,1}n {0,1}n {0,1}n {0,1}n {0,1}n {0,1}n
Electronic Code Book (ECB) Mode
m1 m2 m3m
Gen
k
F F F
c1 = Fk(m1) c2 = Fk(m2) c3 = Fk(m3)
Decryption: compute mi = Fk-1(ci) >> Assumes Fk
is SPRP.
CPA Security ?
>> No. not even CO security for multi message
>> Deterministic Encryption
Encryption: compute ci = Fk(mi) – No randomness used at all !
|c| = |m|
Parallelizable!
Current Picture
Randomness Usage
Ciphertext Expansion
Ciphertext Computation Parallizable
Randomness Reusability
Minimal Assumption (PRF/PRP/SPRP)
CPA Security
Theoretical Construction
n / Block = kn
2n / Block = 2kn
Yes
No
PRF
Yes
ECB Mode
No randomness
k n
Yes
---
SPRP
NO
Assume Message Blocks: k; |m| = k n
Cipher Block Chaining (CBC) Mode
m1 m2 m3m
Gen
k
F
F F
IV
c1 = Fk(m1c0)c0 c2 = Fk(m2c1) c3 = Fk(m3c2)
Encryption ci = Fk(mici-1), for i = 1, …, k Enck(m1 m2 … ml) = (c0 c1… cl)
Decryption: mi = Fk-1(ci) ci-1, for i = 1, …, l >> Assumes Fk
is SPRP.
CPA Security ? >> Randomized Encryption. Provides CPA security. HW
Blockwise Parallel Computation ?
>> NO
Current Picture
Randomness Usage
Ciphertext Expansion
Ciphertext Computation Parallizable
Randomness Reusability
Minimal Assumption (PRF/PRP/SPRP)
CPA Security
Theoretical Construction
n / Block = kn
2n / Block = 2kn
Yes
No
PRF
Yes
ECB Mode
No randomness
k n
Yes
---
SPRP
NO
Assume Message Blocks: k; |m| = k n
CBC Mode
n
k n + n
NO
---
SPRP
YES
m1 m2 m3m
Gen
k
F
F F
IV
c1 = Fk(m1c0)c0 c2 = Fk(m2c1) c3 = Fk(m3c2)
Choosing distinct IV enough ? Can save randomness
IV Misuse in CBC Mode
Unfortunately this version of CBC mode is not cpa-secure-- Assignment
m1 m2 m3m
Gen
k
F
F F
IV
c1 = Fk(m1c0)c0 c2 = Fk(m2c1) c3 = Fk(m3c2)
Can the last ciphertext of previous block act as the IV for next encryption ?
IV misuse in CBC Mode
Bandwidth and randomness saving
m1
m2 m3M1
Gen
k
F
F F
IV1
c1c0 c2 c3
IV misuse in CBC Mode
m4
m5 m6M2
IV2
c4
k
F
F F
c5 c6 c7
Ideal way of encrypting two messages via CBC mode
Can the last ciphertext of previous block act as the IV for next encryption ? Bandwidth and randomness saving
m1
m2 m3M1
Gen
k
F
F F
IV1
c1c0 c2 c3
IV misuse in CBC Mode- Chained CBC
m4
m5 m6M2
k
F
F F
c4 c5 c6
Chained CBC mode
Can the last ciphertext of previous block act as the IV for next encryption ?
>> Bandwidth and randomness saving
Chained CBC mode --- used in SSL 3.0 and TLS 1.0
>> Stateful variant of CBC
CPA security? >> It is “equivalent” to encrypting a single large message M = M1 || M2 via CBC mode>> Yet Not CPA-secure
No modifications to crypto schemes even if the modifications look benign
BEAST attack on SSL/TSL
Output Feedback (OFB) Mode
m1 m2 m3m
Gen
k
F F F
IV
y1 = Fk(y0)y0 y2 = Fk(y1)
c1 = y1m1
First generate a pseudorandom stream of pad (independent of m)
Use the pseudorandom stream for masking m
y3 = Fk(y2)
c2 = y2m2 c3 = y3m3c0
Encryption: Enck(m1 m2 … ml) = (c0 c1… cl)
Output Feedback (OFB) Mode
m1 m2 m3m
Gen
k
F F F
IV
y1 = Fk(y0)y0 y2 = Fk(y1)
c1 = y1m1
Not parallalizable but pre-computable
CPA-secure! The chained version too!
y3 = Fk(y2)
c2 = y2m2 c3 = y3m3c0
Encryption: Enck(m1 m2 … ml) = (c0 c1… cl)
Decryption: mi = F(yi-1) ci PRF Enough !
Current Picture
Randomness Usage
Ciphertext Expansion
Ciphertext Computation Parallizable
Randomness Reusability
Minimal Assumption (PRF/PRP/SPRP)
CPA Security
Theoretical Construction
n / Block = kn
2n / Block = 2kn
Yes
No
PRF
Yes
ECB Mode
No randomness
k n
Yes
---
SPRP
NO
Assume Message Blocks: k; |m| = k n
CBC Mode
n
k n + n
NO
---
SPRP
YES
OFB Mode
n
k n + n
NO (But pre-computable)
YES
PRF
YES
Counter (CTR) Mode
m1 m2 m3m
Gen
k
F F F
CTR {0, 1}n
y1 y2
c1 = y1m1
Same idea as in OFB modes : pseudorandom stream followed by masking
However everything can be now parallelized
y3
c2 = y2m2 c3 = y3m3c0
Encryption: Enck(m1 m2 … ml) = (c0 c1… cl)
CTR +1
CTR +2
CTR +3
mod 2n
Pseudorandom stream
Counter (CTR) Mode
m1 m2 m3m
Gen
k
F F F
CTR {0, 1}n
y1 y2
c1 = y1m1
y3
c2 = y2m2 c3 = y3m3c0
Encryption: Enck(m1 m2 … ml) = (c0 c1… cl); Decryption: Easy; PRF enough!
CTR +1
CTR +2
CTR +3
mod 2n
Pseudorandom stream
Encryption / decryption can be parallelized
Can decrypt a specific ciphertext block by just one invocation of F
Chained/Statefull variant is CPA-secure
Highly attractive featuresChalk &Talk Session 2 Topic:
CPA-security of CTR Mode
Current Picture
Randomness Usage
Ciphertext Expansion
Ciphertext Computation Parallizable
Randomness Reusability
Minimal Assumption (PRF/PRP/SPRP)
CPA Security
Theoretical Construction
n / Block = kn
2n / Block = 2kn
Yes
No
PRF
Yes
ECB Mode
No randomness
k n
Yes
---
SPRP
NO
Assume Message Blocks: k; |m| = k n
CBC Mode
n
k n + n
NO
---
SPRP
YES
OFB Mode
n
k n + n
NO (But pre-computable)
YES
PRF
YES
CTR Mode
n
k n + n
YES
YES
PRF
YES
Some Practical Issues
Block length in practice
CBC, OFB, CTR mode uses a random IV as the starting point
For randomizing the encryption process
Ensures that each invocation of F is on a “fresh” input (w.h.p)
If two invocations of F are on the same input --- security issues
Ideal size of IV ? --- depends on block length supported by F
Say the block length supported by F is l
In CTR mode, IV will be a uniform string of l bits
After 2l/2 encryptions, IV will repeat with a constant probability
If l is too short, then impractical security (even if F is a SPRP)
DES with l = 64 --- IV repetition after 232 4, 300, 000, 000 encryptions
Approximately 32 GB of plaintexts --- may not be too large for all applications
Birthday paradox
Some Practical Issues
IV misuse
Assumption made: a uniform IV selected as the starting point
What if the assumption goes wrong (say due to poor randomness generation, incorrect implementation, etc) ?
Problems if IV is repeated
In the CTR and OFB modes, the same pseudorandom stream will be generated Two messages XORed with the same stream --- serious security breach
In the CBC mode, the effect is not that serious
After few blocks, inputs to F will “diverge” (blocks of m are also part of the input)
Solution against IV misuse
Use CBC mode
Or stateful OFB / CTR mode
Conclusion• We discussed the notion of CPA
A very important class of (passive) attack
Solution: pseudorandom function (PRF)
Minimum requirement from any cipher : CPA-security
• CPA-secure cipher requires stronger primitive than PRG
• Fixed-length CPA-secure cipher using PRF
Arbitrary length CPA-secure encryption: divide into blocks and encrypt each block by fixed-length encryption --- theoretical (inefficient)
Practical solution (modes of operation of block ciphers)
Distribution for a TRF For simplicity, consider functions from {0,1}n to {0,1}n
f is a TRF {0,1}n to {0,1}n if picked uniformly at random from
Funcn
>> How many such functions ?
--- 2n. 2n
>> Funcn = {f1, f2, …, f } --- family of all such functions2n. 2n
>> Picking a f from Funcn ≈
>> Each row of the look-up table of f randomly selected from {0,1}n
x1 = 00000…0
y1 R {0,1}n
x2 = 00000…1
y2 R {0,1}n
… …
x2n =
11111… 1y2
n R {0,1}n
>> Prob. that a random look-up table is of f =½n ½n ½nx xx …
Distributions for a PRF
Funcn = {f1, f2, …, f }2n. 2n
Each function corresponds to a n-length key uniformly distributed over {0,1}n
PRFs are keyed functions
>> The key facilitates efficient evaluation of the function
Funcn = {Fk1, …, Fk }2n
|Funcn| >>>>>>>>>>>
|Funcn|
Insecurity of ECB Mode: A practical Example
Think of some practical situation where encrypting using ECB mode is indeed dangerous
Suppose you want to encrypt a black and white image using ECB mode Say a group of pixels in the image corresponds to one block of F
Image to be encrypted
ECB mode
Encrypted image
Encrypted image (via a secure mode)
Source: Wikipedia with imaged derived from Larry Ewing using GIMP
Secure mode
Block-cipher Modes of Operations : Some Practical Issues
Message transmission errors (non-adversarial)
Dropped packets, changed bits, etc
Different modes of operations have different effect
Standard solutions --- error-correction, re-transmission
Message transmission errors (adversarial)
What if the adversary “changes” ciphertext contents ?
Issue of message integrity / authentication
Will be discussed in detail later